Windows authentication: reasonable and gentle

Redmond's 'velvet glove'

Common Topics

Analysis Microsoft recently announced its latest ploy to extort more money from the public and further strengthen their software monopoly: they want to make you pay for a legal copy of Windows before you get any OS add-on features or updates. To make matters worse, they are even extending this restriction to security updates, potentially placing millions of software pirates and their families at risk. At least that's the way that some people see it.

From 7 February, Microsoft will add support for twenty new language versions of XP for their opt-in Windows Genuine Advantage program. Users of Norwegian, Czech and Simplified Chinese language versions of Windows will be required to verify the authenticity of their copy of Windows. By the second half of 2005, all users will be required to participate in the Windows Genuine Advantage program to download anything from the Microsoft Download Center or Windows Update.

But to avoid risks of leaving systems unpatched and vulnerable, Microsoft will still allow anyone to keep their copy of Windows updated through the Automatic Updates feature.

Nevertheless, since they first announced their Genuine Microsoft Advantage program, I have heard many lame arguments criticizing Microsoft's move to make this program mandatory. Is it really such a bad idea? Don't they have a right to ask people to pay? If you bought a scalped concert ticket that turned out to be a forgery, would you expect the concert promoters to let you in anyway?

Here are some of the arguments I have heard:

Pirates will just pirate the patches

Of course, people will likely be able to get the patches from the very sources where they pirated Windows. In the pirate community, where limited supply drives much of the initial motivation, Microsoft's announcement is good news. One anonymous source deeply involved in the 0-day warez scene told me: "This will just make hotfixes a viable release for us and we can probably distribute them faster than Microsoft anyway." The source explained: "We can have the release on exclusive topsites within a minute and to hundreds of dump sites within five." Within a couple hours, the hotfix would make it to many public websites, IRC channels, Usenet groups, and P2P networks.

In my opinion, this might be okay. This new policy won't stop piracy, but it will make it easier for me and my clients to avoid delayed updates due to congestion at Windows Update. Microsoft is providing greater value for those who have genuine copies of Windows and potentially increasing the risk of those who don't. If you got your copy of Windows through the warez scene, you can get your support there also.

People will circumvent the system

It is already possible to circumvent the system if you know what you are doing. Corporate Volume License Keys (VLKs) are frequently leaked on the Internet and there are now key generators that will provide you with a valid license that doesn't require activation.

Microsoft could spend millions of dollars in research and enforcement programs that make it nearly impossible to pirate Windows, but I'm glad they don't. They have taken reasonable steps to limit piracy but they haven't done this at a huge expense nor have they caused much inconvenience to most customers. They have taken steps to protect their software but they also know when to stop.

People just won't patch and we'll all pay the price

Perhaps the greatest fear is that by limiting access to patches, there will be a greater number of systems simply left unpatched, causing a security risk for everyone else in the world.

For those people who refuse to buy the software and are too dumb to steal the patches or circumvent the system, this is definitely a problem. On the other hand, if these people are that dumb, would we really expect them to be secure even if the patches are freely available?

To minimize this problem, Microsoft has still made all security updates available through Automatic Updates. According to a Microsoft spokesman: "Microsoft has no plans to stop providing security updates to all users via Automatic Updates."

By providing these patches via Automatic Updates, not only is Microsoft still providing them to the people who steal their software, but they're even making an effort to keep the pirates patched in a timely manner.

Windows already costs too much and isn't fairly priced for many countries

While it is a matter of opinion that Windows costs too much, it is accurate to say that it is too expensive for many people in many countries. If Windows cost you two months salary, purchasing the pirated copy on the street for a fraction of the price is a no-brainer. This is a sad reality facing many companies in our new global economy and I'm not sure there is a good solution to this.

Sure they could adjust the prices for each country based on their economy, but is it fair to make us pay more for the very same product? We have seen that problem with prescription drugs, resulting in many Americans looking to Mexico or Canada for cheaper sources. I'm sure Microsoft would love to find a good solution to this problem, and they have made such attempts as producing a stripped-down version of XP, but ultimately it's always going to be unfair to someone.

But even if Microsoft did reduce the price of Windows, would that really affect piracy? Some people would pirate software no how cheap it was or no matter how much they could afford it. Look at Winona Ryder; she certainly could have afforded the items she was caught shoplifting.

Only innocent consumers will be hurt by this

While other industries are suing their own customers and raiding college campuses, Microsoft has been quite sensitive to their customers in this issue. I sat at an MVP conference last year at Microsoft when Steve Ballmer discussed the authentication decision, and he was obviously conflicted. This is something they have put much thought into, and they likely see it not as a great solution but as the lesser of two evils.

To soften the blow and keep consumers happy, Microsoft is offering incentives valued at more than $450 for those who anonymously participate in the Windows Genuine Advantage program. Furthermore, in some countries they will offer users a genuine copy of Windows at a discounted price. Even after all this, if the user still chooses not to purchase Windows, Microsoft will not sue them or delete their copy of Windows. The pirate can even continue to use Automatic Update.

The main purpose of this program is to stop those companies who make money off innocent consumers by selling them computer systems with pirated copies of Windows. According to a Microsoft spokesman: "Twenty-three per cent of PCs in the US use a copy of Windows that is not genuine. Often the users are unaware that they have been sold counterfeit software."

This is Microsoft's effort at user education. This helps consumers and it helps those honest computer resellers who purchase a Windows license for every system they sell.

This will just make more people move to Linux or Macintosh

Okay, if you are that passionate about another OS, do you really need this as an excuse to switch? Price certainly shouldn't be the only consideration when selecting an operating system.

So while so many are screaming about the evils of Microsoft, most of their arguments just aren't that compelling. All Microsoft is asking is that you pay for the software you use, and the company is even rewarding you for coming clean. Sure, if you have a store selling counterfeit Windows licenses, you might expect a lawsuit. But the average consumer isn't the target here.

Like any company, Microsoft just wants to be paid for its work. Considering the pervasiveness of piracy, it's taking a pretty fair stance here. If you don't believe me, imagine what choices the RIAA would make if they were in charge of this decision.

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.